TUCoPS :: Unix :: General
:: unix5037.htm
Using redirector '<<' invoking shells may create suid files in /tmp
29th Jan 2002 [SBWID-5037]
COMMAND
Using redirector \'<<\' invoking shells may create suid files in
/tmp
SYSTEMS AFFECTED
All ?? except BSDI and OpenBSD
PROBLEM
Editor\'s note : this is based on a CERT advisory initially released in
October 1991, for which we couldn\'t find an archive in our repository.
This issue reared it\'s head today due to a patch posted for Irix.
Based on CERT advisory [http://www.kb.cert.org/vuls/id/10277] :
When performing the \"<<\" redirection, /bin/sh creates a
temporary file in /tmp with a name based on the process id, writes
subsequent input out to that file, and then closes the file before
re-opening it as the standard input of the command to be executed. At
no stage are the results of the creat(), write(), or open() calls
checked for an error status.
If the sticky bit is not set on /tmp, the file can be simply removed,
and a new file created in its place. If the sticky bit is set, then it
is possible to guess what the file will be called and create it before
/bin/sh does (the creat() call performed by the shell does not result
in an open() call with O_EXCL set) and hence it is possible to maintain
a handle on the underlying file.
If a fifo is created in place of the temporary file it is particularly
easy to insert an extra command into the input transparently, and
without having to worry about ensuring the bug is exploited during the
narrow window of time in which it occurs.
Even without reading, creating this file may block the execution of
commands using the << operator. It may also be possible to create
a symbolic link named as the temporary file and pointed to any other
file on the system writable by the user of the shell, which may lead to
corruption of the file to which the link is pointed.
SOLUTION
Since the initial release of this advisory, probably all Unixes are
patched. SGI IRIX posted a patch today :
OS Version Vulnerable? Patch # Other Actions
---------- ----------- ------- -------------
IRIX 3.x unknown Note 1
IRIX 4.x unknown Note 1
IRIX 5.x unknown Note 1
IRIX 6.0.x unknown Note 1
IRIX 6.1 unknown Note 1
IRIX 6.2 unknown Note 1
IRIX 6.3 unknown Note 1
IRIX 6.4 unknown Note 1
IRIX 6.5 yes Notes 2 & 3
IRIX 6.5.1 yes Notes 2 & 3
IRIX 6.5.2 yes Notes 2 & 3
IRIX 6.5.3 yes Notes 2 & 3
IRIX 6.5.4 yes Notes 2 & 3
IRIX 6.5.5 yes Notes 2 & 3
IRIX 6.5.6 yes Notes 2 & 3
IRIX 6.5.7 yes Notes 2 & 3
IRIX 6.5.8 yes Notes 2 & 3
IRIX 6.5.9 yes Notes 2 & 3
IRIX 6.5.10m yes 4469 Note 3
IRIX 6.5.10f yes 4470 Note 3
IRIX 6.5.11m yes 4469 Note 3
IRIX 6.5.11f yes 4470 Note 3
IRIX 6.5.12m yes 4469 Note 3
IRIX 6.5.12f yes 4470 Note 3
IRIX 6.5.13m yes 4469 Note 3
IRIX 6.5.13f yes 4470 Note 3
IRIX 6.5.14m no Note 3
IRIX 6.5.14f no Note 3
Compaq Tru64unix patch (30 January 2002)
http://ftp.support.compaq.com/patches/.new/unix.shtml